Blockchain-implemented method and system

ABSTRACT

This invention relates generally to distributed ledger technology (including blockchain related technologies), and in particular the use of a blockchain in implementing, controlling and/or automating a task or process. It may relate to the use of a blockchain or related technology for recording or representing the execution of a portion of logic. This portion of logic may be arranged to implement the functionality of a logic gate, or plurality of logic gates, such as AND, XOR, NOT, OR etc. . . . . An embodiment of the invention may comprise the steps of: providing a blockchain Transaction comprising a redeem script for an output, wherein the redeem script comprises: i) a plurality of public keys, each associated with a corresponding private key; and wherein each public key is uniquely associated with a potential state of at least one data source; and wherein a minimum number of said private keys must be used to sign an unlocking script of a further blockchain Transaction in order to spend the output; and ii) logic arranged to provide a result based on: A) a determination of which of the plurality of associated private key(s) is/are used to sign the unlocking script, so as to provide an interim result: and B) a comparison of a parameter supplied via the unlocking script against the interim result. The method also comprises the step of attempting to spend the transaction output more than once, each attempt supplying a different parameter.

This invention relates generally to distributed ledger technology(including blockchain related technologies), and in particular the useof a blockchain in implementing, controlling and/or automating a task orprocess. It may relate to the use of a blockchain or related technologyfor recording or representing the execution of a portion of logic. Thisportion of logic may be arranged to implement the functionality of alogic gate, or plurality of logic gates, such as AND, XOR, NOT, OR etc.

It is important to note that in this document we use the term‘blockchain’ for the sake of convenience and ease of reference becauseit is currently the most widely known term in this context. However, theterm is used herein (including in the claims) to include all forms ofelectronic, computer-based distributed ledgers, including, but notlimited to consensus-based blockchain and transaction-chaintechnologies, permissioned and un-permissioned ledgers, shared ledgersand variations thereof.

A blockchain is an electronic ledger which is implemented as acomputer-based decentralised, distributed system made up of blocks whichin turn are made up of transactions. Each transaction includes at leastone input and at least one output. Each block contains a hash of theprevious block to that blocks become chained together to create apermanent, unalterable record of all transactions which have beenwritten to the blockchain since its inception. Transactions containsmall programs known as scripts embedded into their inputs and outputs,which specify how and by whom the outputs of the transactions can beaccessed. On the Bitcoin platform, these scripts are written using astack-based scripting language.

In order for a transaction to be written to the blockchain, it must be“validated”. Network nodes (miners) perform work to ensure that eachtransaction is valid, with invalid transactions rejected from thenetwork. Software clients installed on the nodes perform this validationwork on an unspent transaction (UTXO) by executing its locking andunlocking scripts. If execution of the locking and unlocking scriptsevaluate to TRUE, the transaction is valid and the transaction iswritten to the blockchain.

The most widely known application of blockchain technology is theBitcoin ledger, although other blockchain implementations have beenproposed and developed. While Bitcoin may be referred to herein for thepurpose of convenience and illustration, it should be noted that theinvention is not limited to use with the Bitcoin blockchain andalternative blockchain implementations fall within the scope of theinvention.

Blockchain technology is most widely known for the use of cryptocurrencyimplementation. However, in more recent times, digital entrepreneurshave begun exploring both the use of the cryptographic security systemBitcoin is based on, and the data that can be stored on the Blockchain,to implement new systems. It would be highly advantageous if theblockchain could be used for tasks and processes, such as automatedcontrol processes, which are not limited to the realm of cryptocurrency.Such solutions would be able to harness the benefits of the blockchain(e.g. a permanent, tamper proof records of events, distributedprocessing etc.) while being more versatile in their applications.

Such an improved solution has now been devised. Thus, in accordance withthe present invention there is provided a system and method as definedin the appended claims.

Therefore, in accordance with the invention there may be provided acomputer-implemented method. It may be described as a control method. Itmay control the operation of a technical process or the operation of oneor more devices. Additionally or alternatively, it may control theexecution of a blockchain script. It may control the output produced byan attempt to unlock a locking script associated with a transactionoutput (UTXO). It may control whether or not an output in a blockchaintransaction (UTXO) is unlocked. It may control whether or not a portionof cryptocurrency is transferred from one party to another via ablockchain.

The invention may be arranged substantially in accordance with theembodiment shown in FIG. 3 .

The method may comprise the step of providing a blockchain Transaction(Tx) comprising a redeem script for an output, wherein the redeemscript:

specifies a plurality of public keys. These may be cryptographic keys.They may form part of a private/public key pair. Each of the keys in theplurality (or “list”) may be associated with a corresponding privatekey. Each public key may be uniquely associated with a potential stateof at least one data source. Thus, the redeem script may include a listof public keys, wherein only the corresponding private keys for thosepublic keys may be used to spend the transaction output (TxO).

The result may be determined or influenced by which of the plurality ofassociated private key(s) is used to sign the unlocking script. Acomparison of the private keys used to sign the script may provide aninterim result. The comparison may be performed against a known orpredetermined parameter or value which is provided within the script.This may predetermined parameter or value may represent a computingagent's desire to spend (or not spend) the transaction output.

There may be a comparison of a parameter supplied via the unlockingscript against the interim result.

Thus, embodiments of the invention may allow a blockchain transaction(Tx) to return a non-true value from a script. This may be achieved byusing the parameter to confirm or determine that the output of thescript matches a target value supplied, represented by or otherwiseassociated with the parameter

The method may comprise the step of attempting to spend the transactionoutput more than once. In effect, this is a double (or more) spend.Double spends are traditionally seen as a negative action as it istrying to transfer the same amount of cryptocurrency to differentrecipients. However, in this case it is used to advantage.

Each spend attempt may comprise the step of submitting a (different)transaction to a blockchain network. Each attempt may be performed usinga transaction which provides or supplies a different parameter to theredeem script. Each attempt may generate a blockchain transaction whichattempts to spend the output to a different (blockchain) address.

The parameter supplied via the unlocking script may represent a TRUE ora FALSE. It may be a puzzle such as a cryptographic puzzle. It may be avalue embedded in a key. The method may comprise the step of extractingthe value from the key.

The logic may be arranged to perform an equality check or a comparison.The check or comparison may compare the intermediate result with theparameter. The intermediate result may be provided by executing logicprovided or embedded within the redeem script. This may be a portion oflogic arranged to emulate or provide the functionality of a logic gate.The intermediate result may be placed onto/retrieved from a stack inmemory.

The method may comprise the step of generating the transaction. It maycomprise the step of submitting it to a blockchain.

The transaction and/or further (spending) transaction may be generatedby a computing agent. It may be generated autonomously (without humanintervention) based upon input(s) received from a sensor or other signalsource.

Additionally or alternatively, the redeem script may comprise a portionof logic arranged to provide a result based on which of the plurality ofpublic key(s) is used to sign the unlocking script. Thus, the executionof the logic provided in the redeem script may be determined orinfluenced by which of the associated private keys were used to sign theunlocking script.

Additionally or alternatively, a minimum number of said private keys maybe required to sign an unlocking script of a further blockchainTransaction in order to spend the output.

The result or outcome provided by the logic may be dependent upon adetermination of which (particular) private key(s) were used to sign theunlocking script. The method may comprise the step of matching theprivate key(s) which were used to sign the unlocking script against theassociated public keys provided within the redeem script.

Advantageously, this enables the invention to provide a greater degreeof control than prior art techniques which simply require that a certainnumber of keys are used, rather than which particular keys are used. Bydetermining which particular keys from the plurality are used, theinvention provides an alternative, enhanced security technique whichfacilitates a greater degree of granularity or sophistication whencontrolling the locking/unlocking a transaction output UTXO. Thus, itcan be said that the invention provides an improved cryptographictechnique for controlling the transfer of a portion of cryptocurrency.

The interim result is derived from the logic provided within the redeemscript, and/or is a Boolean value which is calculated by determiningwhich keys were used to sign the unlocking script.

The logic in the redeem script may be arranged to implement thefunctionality of a logic gate. The logic gate may be a NOT, AND, OR,NOR, XOR. IMPLY, NAND, NONIMPLY and/or a XNOR gate. Thus, the inventionmay be described as providing a technique which enables thefunctionality of a logic gate to be simulated or put into effect via ablockchain transaction. The portion of the script logic which emulatesthe logic gate may provide the interim result.

The state of the at least one data source may be determined by acomputing agent. The agent may be arranged to monitor a condition. Thismay be, for example, a condition on a computing network or adevice-related condition, or the condition of an environmental factor,or any other type of quantifiable condition.

The computing agent may be in communication which a control computingagent. This may be referred to herein as a “controller”. The redeemscript may be generated by the controller. One or more agents may bearranged to control a process or apparatus.

One, some or all of the computing agents may comprise a cryptographickey, which may be called an agent base key. This may be generated by theagent(s). It may be derived and/or received from a controller. One ormore of the plurality of keys may be generated or derived from a base or“master” key. The key generation may be a performed using adeterministic key generation technique. The method may comprise the stepof generating or deriving a further or separate key for each possiblestate of a condition which is being monitored by the agent. The furtherkey may be derived from the base key using the technique described belowin the section entitled “Creating a Key Using a shared Secret”.

The result provided by the logic may be a Boolean result or some othertype of result. The logic may provide a result from a restricted rangeof results.

There may be at least two data sources. There may be two potentialstates for, or associated with, each data source. Each potential statemay be associated with, or represented by, a public key. Thus, the listof public keys provided in the redeem script may be used to define,represent or describe all possible states that the data sources(s) mayadopt or enter.

The method may comprise the step:

for each of the at least one data sources:

-   -   associating a public key in the plurality with a potential state        of the data source; such that all possible states of the data        sources are represented by a respective public key.

In other words, each possible state of each data source may beassociated with a public key such that the public key can be used as a(unique) identifier for that state. Thus, the keys may be deliberatelyselected so as to form a mapping between each key and a potential stateof the data source. This may enable the keys to function asrepresentations of the potential states of the data source. Analysis ordetermination of which private keys are used to sign during theunlocking process may then enable a determination of the state of thedata source.

The at least one data source may comprise a sensor. Additionally oralternatively, the data source may comprise a source which is capable ofgenerating and/or transmitting an input signal to a computing resourceor agent.

Each public key may represent a Boolean value indicative of a potentialstate of the at least one data source. For example, is a signal receivedor not received, or is the temperature above 20 degrees C.?

The invention also provides a corresponding system. The system may bearranged to implement any embodiment of the method described above. Thesystem may be arranged to implement a method or technique substantiallyas shown in FIG. 3 .

The invention may provide a computer-implemented system comprising:

-   -   at least one computer-based resource arranged to perform the        step(s) of any method described above; and    -   a blockchain or other type of electronic ledger, or variation of        the Bitcoin ledger. This may be a distributed ledger.

The at least one computer based resource may be arranged to:

-   -   submit a transaction to a blockchain network (this may or may        not be the Bitcoin network—it may be any type of distributed        ledger); and/or    -   generate a transaction; and/or    -   digitally sign a locking script; and/or    -   generate a public/private cryptographic key.

The system may be arranged such that the result is used to control orinfluence the execution or operation of a process or apparatus. Thecomputer-based resource may be referred to as an “agent”.

The system may comprise at least one sensor or other signal/inputgeneration component arranged/configured to provide an input to the atleast one computer based resource.

Any feature described in relation to one aspect or embodiment of theinvention may also be used to effect with one or more otheraspects/embodiments. Any feature described in respect of the method maybe applied to the system and vice versa.

These and other aspects of the present invention will be apparent fromand elucidated with reference to, the embodiment described herein. Anembodiment of the present invention will now be described, by way ofexample only, and with reference to the accompany drawings, in which:

FIG. 1 shows an illustration of an embodiment of the invention.

FIG. 2 shows an illustrative embodiment of the invention in which aplurality of independent computing agents perform the monitoring of theexternal environments to provide inputs into the logic gate transaction.

FIG. 3 shows an overview of a preferred embodiment of the presentinvention.

FIG. 4 shows an example Blockchain transaction arranged in accordancewith an embodiment of the invention, and in which transaction output 1implements the NOR gate with transaction output 2 paying change back tothe Controller.

FIG. 5 shows an overview of another embodiment of the invention.

FIGS. 6 to 10 show a technique for generating a cryptographic key from abase key.

FIG. 11 shows a redeem script in accordance with at least oneembodiment.

FIG. 12 shows a redeem script in accordance with at least oneembodiment.

FIG. 13 shows an unlocking script in accordance with at least oneembodiment

FIG. 14 shows a redeem script in accordance with at least oneembodiment.

FIG. 15 shows an unlocking script in accordance with at least oneembodiment.

The invention provides a novel and advantageous solution for using ablockchain to implement a function. The blockchain is used to provide arecord of the execution of the function and/or a result of its result. Afunction can be a subroutine or procedure (i.e. a process or portion oflogic) which is applied to a set of inputs and returns a set of outputs.In one possible embodiment, the function can be executed ‘off-block’ ieits performance is not blockchain-dependent. The function is performedby a computer-based resource.

A blockchain (e.g. Bitcoin) transaction is a transfer of (e.g. Bitcoin)value which typically references previous transaction outputs as newtransaction inputs and dedicates all input values to new outputs.Transactions are not encrypted, so it is possible to browse and viewevery transaction ever collected into a block. It would be highlyadvantageous, however, to be able to construct a blockchain transactionwhich acts as a function, where the transaction output(s) areconditional or dependent on information supplied. This would enable asophisticated level of behaviour via a blockchain.

Important aspects of the present invention include (but are not limitedto) a method for creating a blockchain transaction that represents afunction where function input(s) are represented by the public keys usedwithin a redeem script of the transaction's output and wherein actualvalues are represented by signatures associated with one or more of thepublic keys.

The invention will be illustrated via use case examples provided below,in which blockchain (e.g. Bitcoin) transactions can be used to representthe functionality provided by a logic gate. This functionality can thenbe used to control some technical process or apparatus.

This invention provides a number of generic novel features above theBlockchain, including:

-   -   The ability to create agents against sensors or other        signal/input generators where the agent is controlled directly        from the Blockchain and requires no other network access in        order to operate;    -   The ability to determine, on a transaction secured by multiple        signatures, which public keys were involved in the transaction        signing process; and    -   The ability to embed a limited, discrete, range of payload        values within the signing keys that can be used to determine        behaviour (i.e. how code executes) within the redeem script.

In addition, embodiments of the invention can make use of the aboveelements to deliver a logic gate (e.g. NOR gate) where the input valuesfrom A and B are embedded within, or represented by, the key used forsigning.

Benefits

The proposed invention offers the following benefits:

-   -   inherently secure by design (the Bitcoin protocol requires no        trusted parties);    -   distributed, so avoids a large single point of failure and is        not vulnerable to attack;    -   easy to manage and maintain, the Bitcoin network is        straightforward to use;    -   inexpensive (just a small transaction fee is usually expected        under the Bitcoin protocol);    -   global and can be used at any time by anyone with access to the        Internet;    -   transparency: once data has been written to the blockchain,        anyone can see it;    -   immutable, once data has been written to the blockchain, no one        can change it; and    -   privacy is maintained, no personally identifying information is        involved.

In order for the invention to operate, it must conform to the existingconstructs and behaviours of the Bitcoin protocol and wallet. FIG. 1shows how a standard Bitcoin transaction (TX) is constructed inaccordance with an embodiment of the invention. (bitcoin is used forillustration only, and other ledgers and associated protocols may beused while still falling within the scope of the invention).

Agent Configuration

An embodiment of the invention comprises the use of a number ofindependent (computing) agents that are arranged to perform themonitoring of external environments to provide inputs into this logicgate transaction, as shown in FIG. 2 . Thus, the computing agents aredesigned to monitor some condition. An input may be received from asensor for this purpose. For example, the agent may monitor a conditionsuch as “is the temperature below zero degrees Celsius?” or any othertype of testable condition. The agent may be arranged, therefore, tomonitor the state of its observed condition.

The agents are in communication with a control or master agent,hereafter referred to as a “controller”. The Controller is arranged tofor operation with the blockchain protocol.

In one or more embodiments, the subordinate agents (e.g. A and B) maycomprise keys which are derived from the controller. However, it shouldbe noted that it is possible for Agent A and Agent B to haveself-generated keys and not derive these from the Controller. Thisrestricts the functionality that the Controller can use on the keys.

In one or more embodiments, each condition being monitored has aseparate monitoring agent set-up with their own key. From this key, theyderive a separate key for the output from their monitoring condition(i.e. for each possible state). These values are deterministicallyderivable from their base key, which could be done at the point ofmonitoring or the agent could pre-derive the values (for example, it maybe more efficient for a true/false sensor to simply pre-define). The keymay be derived from the base key using the technique described below inthe section entitled “Creating a Key Using a shared Secret”.

Agent Behaviour

The embodiment described above allows Agents to have a very tightlydefined behaviour, at their base point they are sensors that aredetecting a single condition and responding on demand to that condition.The following table demonstrates the behaviour pattern for these agents.

Step Description 1 Startup agent, and derive new key from start-upparameters. 2 Wait for transaction signing request. 3 On receipt oftransaction signing request, get data from attached sensor 4 Using datafrom attached sensor, derive new signing key 5 Sign transaction request6 Go to step 2 Note that step 2 is the standard process to implementmulti-signature transactions as known in the prior art. An inventivestep can be seen in Steps 3 and 4 which allow the agent to embed thesensor value in the signature returned from the Agent.

Data Value Extraction & Transaction Evaluation

The redeem script in the transaction then allows the effective de-factoextraction of the values embedded by the autonomous agents. However,this only works where the range of possible values is known in advance;the examples herein are where Agents A and B provide ‘true’/‘false’values but a broader range of values is also possible using this method(e.g. 1, 2, 3, 4, 5). The point is that a unique key is used torepresent each possible value or state, so that the redeem script candetermine what the value is based on which key was used to sign theunlocking script. However, as the logic provided within the redeemscript must be arranged to perform this analysis, the method does notsupport an infinite range of possible values.

The method works by evaluating the signatures supplied by the agentagainst the possible derived public keys for that agent. So, when theredeem script was first constructed by the Controller, it would havedetermined what the public key for each possible input value (state) wasand included these within the payload of the redeem script.

In order for the script to extract this data, it does so by determiningwhich of the public keys was used to sign the transaction and since thescript has been coded to implicitly understand the value that thispublic key represents, it has effectively extracted that value for thepurpose of utilisation within the confines of the script.

Within the Blockchain standard, the built-in OP_CHECKMULTISIGtransaction function allows the evaluation of signatures in order todetermine that enough signatures were collected via the unlockingscript. However, this does not allow the explicit determination of whichwere used. Therefore, the invention provides an improvement over theprior art because it presents a technique for using a Tx to explicitlymatch against particular keys to determine which were used, andtherefore allows much more complexity to be implemented viatransactions. In other words, by determining which subset of theplurality of keys is used in the signing process, it is possible toproduce a more sophisticated behaviour via the blockchain.

For example, in an escrow function it is possible to effectively createan escrow with multiple escrow agents but define a scripting rule thatrequires the provision of a signature of the buyer plus the seller, orthe buyer plus one of the escrow agents or the seller plus one of theescrow agents. This is not possible in the known standard Bitcoinprotocol since the standard construct would allow both of the escrowagents to sign the transaction.

Redeem Script Pseudo Code

In accordance with an embodiment of the invention, logic within theredeem script may be arranged as follows:

IF Validate(sig-Controller,pubK-Controller) =TRUE THEN SET Variable-A =INDETERMINED SET Variable-B = INDETERMINED IFValidate(sig-A,PubK-A-true) =TRUE THEN   SET Variable-A=TRUE ELSE IFValidate(sig-A,PubK-A-false) =TRUE THEN   IF Variable-A=TRUE THEN ReturnFALSE // A is both true and false which is rubbish   ELSE SETVariable-A=FALSE IF Validate(sig-B,PubK-B-True) =TRUE THEN   SETVariable-B=TRUE ELSE IF Validate(sig-B,PubK-B-False) =TRUE THEN   IFVariable-B=TRUE THEN Return FALSE // B is both true and false which isrubbish   ELSE SET Variable-B=FALSE IF Variable-A = INDETERMINED ORVariable-B = INDETERMINED THEN   Return FALSE ELSE   RETURN Variable-ANOR Variable-B ELSE RETURN FALSE

Example Transaction

In an example transaction, transaction output (TxO) 1 implements a NORgate with transaction output 2 paying change back to the Controller. TheTransaction is shown in FIG. 4 .

Redeem Script

The full redeem script is shown in FIG. 11 . This is then broken downinto logical components.

The instruction codes within the box demonstrate the NOR gate payloadcode (block 7 below) which are provided above the signature manipulationlogic required to bring the data into a format which can be validated.

In order to partition into logical ‘sub-functions’ the script is brokendown into a sequence of blocks as shown in the following table for theconvenience of the reader.

Name Script Block Purpose RS OP_DUP This pushes the data bearing Block 1OP_TOALTSTACK signatures across onto the alternative OP_TOALTSTACKstack, before confirming that the OP_DUP controller authorised thetransaction. OP_TOALTSTACK OP_TOALTSTACK <PubK-Controller>OP_CHECKSIGVERIFY <RS Block 2> RS OP_FROMALTSTACK This block evaluateswhich of the A Block 2 <PubK-A-True> public keys has been used to signthis OP_CHECKSIG transaction. The script does not care OP_FROMALTSTACK(at this point) whether any signatures <PubK-A-False> have been used ornot. OP_CHECKSIG <RS Block 3> RS OP_FROMALTSTACK This block evaluateswhether, and Block 3 <PubK-B-True> which, of the two B public keys hasOP_CHECKSIG been used to sign the transaction. The OP_FROMALTSTACKscript does not care (at this point) <PubK-B-False> whether anysignatures have been OP_CHECKSIG used or not. <RS Block 4> RS OP_DUPThis block of code checks to make Block 4 OP_TOALTSTACK sure that:OP_SWAP One, and only one, of the A public OP_DUP keys was used to signthe transaction. OP_TOALTSTACK OP_NUMNOTEQUAL OP_VERIFY <RS Block 5> RSOP_DUP This block of code checks to make Block 5 OP_TOALTSTACK surethat: OP_SWAP One, and only one, of the B public OP_DUP keys was used tosign the transaction. OP_TOALTSTACK OP_NUMNOTEQUAL OP_VERIFY <RS Block6> RS OP_FROMALTSTACK This block brings back the validated Block 6OP_FROMALTSTACK key information from the alternative OP_FROMALTSTACKstack and aligns the signals. OP_SWAP OP_FROMALTSTACK <RS Block 7> RSOP_EQUAL This block implements the NOR logic Block 7 OP_TOALTSTACKwithin the script. Note that it can take (NOR) OP_DROP some shortcuts asit knows that either: OP_DROP <B-False-Result> is true OROP_FROMALTSTACK <B-True-Result> is true but they can't both have thesame value; <A-False-Result> is true OR <A-True-Result> is true, butthey can't both have the samevalue.

Locking Script

The locking script is a standard Pay-to-Script-Hash model:

-   -   OP_HASH160 <Redeem Script Hash> OP_EQUAL

Unlocking Script

The required unlocking script is:

-   -   <Sig-Controller> <Sig-A-Used> <Sig-B-Used> <RS Block 1>

Where:

<Sig-A-Used> is either: <Sig-A-True>; or <Sig-A-False> <Sig-B-Used> iseither: <Sig-B-True>; or <Sig-B-False>

Illustration: NOR Logic Gate

The NOR gate is a logic gate that implements a NOT OR. That is, if bothinputs are false, then the output will be true, otherwise the outputwill be false.

A B X 0 0 1 0 1 0 1 0 0 1 1 0

The NOR logic is implemented within a single Bitcoin transaction outputwhich requires a controller signature, plus a signature from the A agentrepresenting either the true or false value, and another signature fromthe B agent (again either true or false). FIG. 1 shows an overview ofhow this NOR method can be implemented via the Bitcoin protocol.

It is possible to implement alternative gates, by replacing RB Block 7as shown in the subsequent sections.

AND Gate

A B X 0 0 0 0 1 0 1 0 0 1 1 1 Name Script Block Purpose RS Block OP_DROPThis block implements the AND logic within the 7 OP_DROP script. Notethat it can take some shortcuts as it (AND) OP_1 knows that either:OP_EQUAL <B-False-Result> is true OR <B-True-Result> OP_EQUAL is truebut they can't both have the same value; <A-False-Result> is true OR<A-True-Result> is true, but they can't both have the same value.

NAND Gate

A B X 0 0 1 0 1 1 1 0 1 1 1 0 Name Script Block Purpose RS Block OP_1This block implements the NAND 7 OP_EQUAL logic within the script. Notethat it (NAND) OP_EQUAL can take some shortcuts as it knowsOP_TOALTSTACK that either: OP_DROP <B-False-Result> is true OR OP_DROP<B-True-Result> is true but they can't OP_FROMALTSTACK both have thesame value; <A-False-Result> is true OR <A-True-Result> is true, butthey can't both have the same value.

OR Gate

A B X 0 0 0 0 1 1 1 0 1 1 1 1 Name Script Block Purpose RS BlockOP_TOALTSTACK This block implements the OR logic 7 OP_0 within thescript. Note that it can take (OR) OP_EQUAL some shortcuts as it knowsthat either: OP_FROMALTSTACK <B-False-Result> is true OR OP_0<B-True-Result> is true but they can't OP_EQUAL both have the samevalue; OP_EQUAL <A-False-Result> is true OR OP_NOT <A-True-Result> istrue, but they can't OP_TOALTSTACK both have the same value. OP_DROPOP_DROP OP_FROMALTSTACK

XOR Gate

A B X 0 0 0 0 1 1 1 0 1 1 1 0 Name Script Block Purpose RS Block OP_1This block implements the XOR logic within the 7 OP_EQUAL script. Notethat it can take some shortcuts as it (XOR) OP_EQUAL knows that either:OP_NOT <B-False-Result> is true OR <B-True-Result> is true but theycan't both have the same value; <A-False-Result> is true OR<A-True-Result> is true, but they can't both have the same value.

XNOR Gate

A B X 0 0 1 0 1 0 1 0 0 1 1 1 Name Script Block Purpose RS Block OP_1This block implements the XNOR logic within the 7 OP_EQUAL script. Notethat it can take some shortcuts as it (XNOR) OP_EQUAL knows that either:<B-False-Result> is true OR <B-True-Result> is true but they can't bothhave the same value; <A-False-Result> is true OR <A-True-Result> istrue, but they can't both have the same value.

NOT Gate

The implementation of this gate is slightly more complicated since itonly has a single input.

A X 0 1 1 0

As a result, the Unlocking Script changes to:

-   -   <Sig-Controller> <Sig-A-Used>        <RS Block 1>

As a result of a single input, the following block changes occur:

Name Script Block Purpose RS Block OP_DUP This pushes the data bearing 1OP_TOALTSTACK signatures across onto the alternative OP_TOALTSTACKstack, before confirming that the

controller authorised the transaction.

<PubK-Controller> OP_CHECKSIGVERIFY <RS Block 2> RS BlockOP_FROMALTSTACK This block evaluates which of the A 2 <PubK-A-True>public keys has been used to sign this OP_CHECKSIG transaction. Thescript does not care OP_FROMALTSTACK (at this point) whether anysignatures <PubK-A-False> have been used or not. OP_CHECKSIG <RS Block4> RS Block

Entire block removed 3

RS Block OP_DUP This block of code checks to make 4 OP_TOALTSTACK surethat: OP_SWAP One, and only one, of the A public OP_DUP keys was used tosign the transaction. OP_TOALTSTACK OP_NUMNOTEQUAL OP_VERIFY <RS Block6> RS Block

Entire block removed 5

RS Block OP_FROMALTSTACK This block brings back the validated 6OP_FROMALTSTACK key information from the alternative

stack and aligns the signals.

<RS Block 7> RS Block OP_NOT This block implements the NOT logic 7within the script. (NOT)

A number of varying embodiments may be provided, as described below.

Variant 1: Generating a TRUE & FALSE SIGNAL

This embodiment may be, substantially, the subject of the presentinvention.

The embodiments described above allow the unsigned transaction output(UTXO) representing the logic gate to be spent only where the gateconditions evaluate to TRUE. In a number of situations, however, itwould be advantageous to spend the output (albeit to different recipientaddresses) regardless of the actual output of the circuit.

This is possible using this Embodiment. Effectively the embodiment shownin FIG. 1 is amended as shown in the FIG. 3 to provide the presentlyclaimed invention. In this embodiment, there is an extra parametersupplied to the redeem script of the first transaction (Tx). This extraparameter can be either a puzzle, or a value embedded in a key or avalue supplied explicitly (as it is in the example). This defines theController's desired outcome to spend the UTXO.

Therefore, for a simple logic gate, the Controller would attempt tospend the transaction twice using the same signatures; one with anexpected TRUE outcome and once with an expected FALSE outcome.

The redeem script will be expanded such that at the end of the gatecalculation it applies an equality check on the output of the gate tothe output requested by the Controller, such that:

If the embedded gate logic returns FALSE, and the desired outcome isFALSE, then the redeem script will evaluate to TRUE and the UTXO can bespent;

If the embedded gate logic returns TRUE, and the desired outcome isTRUE, then the redeem script will evaluate to TRUE and the UTXO can bespent:

If the embedded gate logic returns TRUE, but the desired outcome isFALSE, then the redeem script will evaluate to FALSE and the UTXO cannotbe spent; and

If the embedded gate logic returns FALSE, but the desired outcome isTRUE, then the redeem script will evaluate to FALSE and the UTXO cannotbe spent.

Variant Scripts

The full redeem script is shown in FIG. 12 . This is then broken downinto logical components for the convenience of the reader.

The instruction codes within the box demonstrate the NOR gate payloadcode above the signature manipulation logic to bring the data into aformat which can be validated.

Locking Script

The locking script is a standard Pay-to-Script-Hash model:

-   -   OP_HASH160 <Redeem Script Hash> OP_EQUAL

Unlocking Script

The unlocking script for this pattern of logic gates is shown in FIG. 13.

Variant 2: Generating a Concealed TRUE & FALSE Signal

Variant 1 has a minor disadvantage that it is public knowledge (from theredeem script) whether a true or false condition was signalled from thescript. Embedding the desired signal inside the signature from theController avoids this issue. In variant 2, the Controller has twopublic keys derived from its primary key as shown in FIG. 5 .

Variant Scripts

The full redeem script is shown in FIG. 14 . This is then broken downinto logical components.

The instruction codes within the box demonstrate the NOR gate payloadcode above the signature manipulation logic to bring the data into aformat which can be validated.

Locking Script

The locking script is a standard Pay-to-Script-Hash model:

-   -   OP_HASH160 <Redeem Script Hash> OP_EQUAL

Unlocking Script

The unlocking script for this pattern of logic gates is shown in FIG. 15.

Variant 3: Single Code Stack

It is possible to implement these gates using the single stack, ratherthan making use of the alt stack.

Redeem Script: Overview and NOR

The full redeem script is shown below. This is then broken down intological components

 

The instruction codes within the box demonstrate the NOR gate payloadcode above the signature manipulation logic to bring the data into aformat which can be validated. All stacks are shown in top to bottomordering.

Locking Script

The locking script is a standard Pay-to-Script-Hash model:

-   -   OP_HASH160 <Redeem Script Hash> OP_EQUAL

Unlocking Script

The unlocking script for this pattern of logic gates is (note thedifferent ordering of the signature blocks):

<Sig-B-Used> <Sig-A-Used> <Sig-Controller> <RS Block 1>

Where:

-   -   <Sig-A-Used> is either <Sig-A-True> or <Sig-A-False>    -   <Sig-B-Used> is either <Sig-B-True> or <Sig-B-False>

Alternative Gates

To implement the alternative logic gates, replace the explicit NOR codein the blue rectangle with the following:

Name Block Purpose AND OP_BOOLAND OR OP_BOOLOR NAND OP_BOOLAND OP_NOTXOR OP_NUMNOTEQUAL XNOR OP_NUMEQUAL IMPLY OP_SWAP OP_NOT OP_BOOLORConverse Implication OP_NOT OP_BOOLOR Material Non-implication OP_NOTOP_BOOLAND Converse Non-implication OP_SWAP OP_NOT OP_BOOLAND

Scenario: Burglar Alarm Setting (NOR Gate)

A simple example for the above embodiment utilising the NOR gate is thesetting of a burglar alarm.

In this example, Agent A is a door sensor on the loading bay door thatsignals TRUE when the door is open and FALSE when closed.

Agent B is also a door sensor, but on the cash safe within the building.It also signals TRUE when the door is open and FALSE when closed. Thecontroller is the central alarm system and it will only set the alarm ifall doors within the building are closed. So, when the controller isrequested to set the alarm, it will broadcast a transaction to thevarious monitoring agents. The transaction will complete only when AgentA and Agent B signal that their respective doors are closed.

We now describe a technique for generating a new key from a base key, asdiscussed above.

Creating a Key Using a Shared Secret The following technique isdescribed with reference to FIGS. 5 to 9 .

Using the following technique, a key may be securely held or recreated.Particularly, in the case of a private key which may be used to derive apublic key, the private key may be stored in parts.

The user, i.e. Alice or Bob, may keep one part of their private key, aservice provider may keep a second part and a third part may be kept ata remote secure site. The private key may be reconstituted using any twoof the three parts, or, more generally, the private key may bereconstituted using any m of n parts.

If the private key can be reconstituted then it can be used to recreatea public key at the point of use and then the private key and the publickey can be discarded again after use.

Splitting private keys may be achieved using Shamir's Secret SharingScheme. Private key-public key pairs may be deterministically derivedfrom a master key using the following method. This method enables secretvalues to be shared by participants without ever transmitting them.

The system may generate a public key for a participant using a method ofsub-key generation as now described.

FIG. 5 illustrates a system 1 that includes a first node 3 which is incommunication with a second node 7 over a communications network 5. Thefirst node 3 has an associated first processing device 23 and the secondnode 5 has an associated second processing device 27. The first andsecond nodes 3, 7 may include an electronic device, such as a computer,phone, tablet computer, mobile communication device, computer serveretc. In one example, the first node 3 may be a client (user) device andthe second node 7 may be a server. The server may be a digital walletprovider's server.

The first node 3 is associated with a first asymmetric cryptography pairhaving a first node master private key (V_(1C)) and a first node masterpublic key (P_(1C)). The second node (7) is associated with a secondasymmetric cryptography pair having a second node master private key(V_(1S)) and a second node master public key (P_(1S)). In other words,the first and second nodes are each in possession of respectivepublic-private key pairs.

The first and second asymmetric cryptography pairs for the respectivefirst and second nodes 3, 7 may be generated during a registrationprocess, such as registration for a wallet. The public key for each nodemay be shared publicly, such as over communications network 5.

To determine a common secret (CS) at both the first node 3 and secondnode 7, the nodes 3, 7 perform steps of respective methods 300, 400without communicating private keys over the communications network 5.

The method 300 performed by the first node 3 includes determining 330 afirst node second private key (V_(2C)) based on at least the first nodemaster private key (V_(1C)) and a Generator Value (GV). The GeneratorValue may be based on a message (M) that is a shared between the firstand second nodes, which may include sharing the message over thecommunications network 5 as described in further detail below. Themethod 300 also includes determining 370 a second node second public key(P_(2S)) based on at least the second node master public key (P_(1S))and the Generator Value (GV). The method 300 includes determining 380the common secret (CS) based on the first node second private key(V_(2C)) and the second node second public key (P_(2S)).

Importantly, the same common secret (CS) can also be determined at thesecond node 7 by method 400. The method 400 includes determining 430 afirst node second public key (P_(2C)) based on the first node masterpublic key (P_(1C)) and the Generator Value (GV). The method 400 furtherinclude determining 470 a second node second private key (V_(2S)) basedon the second node master private key (V_(1S)) and the Generator Value(GV). The method 400 includes determining 480 the common secret (CS)based on the second node second private key (V_(2S)) and the first nodesecond public key (P_(2C)).

The communications network 5 may include a local area network, a widearea network, cellular networks, radio communication network, theinternet, etc. These networks, where data may be transmitted viacommunications medium such as electrical wire, fibre optic, orwirelessly may be susceptible to eavesdropping, such as by aneavesdropper 11. The method 300, 400 may allow the first node 3 andsecond node 7 to both independently determine a common secret withouttransmitting the common secret over the communications network 5.

Thus one advantage is that the common secret (CS) may be determinedsecurely and independently by each node without having to transmit aprivate key over a potentially unsecure communications network 5. Inturn, the common secret may be used as a secret key (or as the basis ofa secret key).

The methods 300, 400 may include additional steps. The method 300 mayinclude, at the first node 3, generating a signed message (SM1) based onthe message (M) and the first node second private key (V_(2C)). Themethod 300 further includes sending 360 the first signed message (SM1),over the communications network, to the second node 7. In turn, thesecond node 7 may perform the steps of receiving 440 the first signedmessage (SM1). The method 400 also includes the step of validating 450the first signed message (SM2) with the first node second public key(P_(2C)) and authenticating 460 the first node 3 based on the result ofvalidating the first signed message (SM1). Advantageously, this allowsthe second node 7 to authenticate that the purported first node (wherethe first signed message was generated) is the first node 3. This isbased on the assumption that only the first node 3 has access to thefirst node master private key (V_(1C)) and therefore only the first node3 can determine the first node second private key (V_(2C)) forgenerating the first signed message (SM1). It is to be appreciated thatsimilarly, a second signed message (SM2) can be generated at the secondnode 7 and sent to the first node 3 such that the first node 3 canauthenticate the second node 7, such as in a peer-to-peer scenario.

Sharing the message (M) between the first and second nodes may beachieved in a variety of ways. In one example, the message may begenerated at the first node 3 which is then sent, over thecommunications network 5, the second node 7. Alternatively, the messagemay be generated at the second node 7 and then sent, over thecommunications network 5, to the second node 7. In some examples, themessage (M) may be public and therefore may be transmitted over anunsecure network 5. One or more messages (M) may be stored in a datastore 13, 17, 19. The skilled person will realise that sharing of themessage can be achieved in a variety of ways.

Advantageously, a record to allow recreation of the common secret (CS)may be kept without the record by itself having to be stored privatelyor transmitted securely.

Method of Registration 100, 200

An example of a method of registration 100, 200 is now described inwhich method 100 is performed by the first node 3 and method 200 isperformed by the second node 7. This includes establishing the first andsecond asymmetric cryptography pairs for the respective first and secondnodes 3, 7. The asymmetric cryptography pairs include associated privateand public keys, such as those used in public-key encryption. In thisexample, the asymmetric cryptography pairs are generated using EllipticCurve Cryptography (ECC) and properties of elliptic curve operations.

In the method 100, 200, this includes the first and second nodesagreeing 110, 210 on a common ECC system and using a base point (G).(Note: the base point could be referred to as a Common Generator, butthe term ‘base point’ is used to avoid confusion with the GeneratorValue GV). In one example, the common ECC system may be based onseep256K1 which is an ECC system used by Bitcoin. The base point (G) maybe selected, randomly generated, or assigned.

Turning now to the first node 3, the method 100 includes settling 110 onthe common ECC system and base point (G). This may include receiving thecommon ECC system and base point from the second node 7, or a third node9. Alternatively, a user interface 15 may be associated with the firstnode 3, whereby a user may selectively provide the common ECC systemand/or base point (G). In yet another alternative one or both of thecommon ECC system and/or base point (G) may be randomly selected by thefirst node 3. The first node 3 may send, over the communications network5, a notice indicative of using the common ECC system with a base point(G) to the second node 7. In turn, the second node 7 may settle 210 bysending a notice indicative of an acknowledgment to using the common ECCsystem and base point (G).

The method 100 also includes the first node 3 generating 120 a firstasymmetric cryptography pair that includes the first node master privatekey (V_(1C)) and the first node master public key (P_(1C)). Thisincludes generating the first master private key (V_(1C)) based, atleast in part, on a random integer in an allowable range specified inthe common ECC system. This also includes determining the first nodemaster public key (P_(1C)) based on elliptic curve point multiplicationof the first node master private key (P_(1C)) and the base point (G)according to the formula:P _(1C) =V _(1C) ×G  (Equation 1)

Thus the first asymmetric cryptography pair includes:

-   -   V_(1C): The first node master private key that is kept secret by        the first node.    -   P_(1C): The first node master public key that is made publicly        known.

The first node 3 may store the first node master private key (V_(1C))and the first node master public key (P_(1C)) in a first data store 13associated with the first node 3. For security, the first node masterprivate key (V_(1C)) may be stored in a secure portion of the first datastore 13 to ensure the key remains private.

The method 100 further includes sending 130 the first node master publickey (P_(1C)), over the communications network 5, to the second node 7,as shown in FIG. 6 . The second node 7 may, on receiving 220 the firstnode master public key (P_(1C)), store 230 the first node master publickey (P_(1C)) in a second data store 17 associated with the second node7.

Similar to the first node 3, the method 200 of the second 7 includesgenerating 240 a second asymmetric cryptography pair that includes thesecond node master private key (V_(1S)) and the second node masterpublic key (P_(1S)). The second node master private key (V_(1S)) is alsoa random integer within the allowable range. In turn, the second nodemaster public key (P_(1S)) is determined by the following formula:P _(1S) =V _(1S) ×G  (Equation 2)

Thus the second asymmetric cryptography pair includes:

-   -   V_(1S): The second node master private key that is kept secret        by the second node.    -   P_(1S): The second node master public key that is made publicly        known.

The second node 7 may store the second asymmetric cryptography pair inthe second data store 17. The method 200 further includes sending 250the second node master public key (P_(1S)) to the first node 3. In turn,the first node 3 may receive 140 and stores 150 the second node masterpublic key (P_(1S)).

It is to be appreciated that in some alternatives, the respective publicmaster keys may be received and stored at a third data store 19associated with the third node 9 (such as a trusted third party). Thismay include a third party that acts as a public directory, such as acertification authority. Thus in some examples, the first node masterpublic key (P_(1C)) may requested and received by the second node 7 onlywhen determining the common secret (CS) is required (and vice versa).

The registration steps may only need to occur once as an initial setup.

Session Initiation and Determining the Common Secret by the First Node 3

An example of determining a common secret (CS) will now be described.The common secret (CS) may be used for a particular session, time,transaction, or other purpose between the first node 3 and the secondnode 7 and it may not be desirable, or secure, to use the same commonsecret (CS). Thus the common secret (CS) may be changed betweendifferent sessions, time, transactions, etc.

The following is provided for illustration of the secure transmissiontechnique which has been described above.

Generating a message (M) 310

In this example, the method 300 performed by the first node 3 includesgenerating 310 a message (M). The message (M) may be random, pseudorandom, or user defined. In one example, the message (M) is based onUnix time and a nonce (and arbitrary value). For example, the message(M) may be provided as:Message(M)=UnixTime+nonce  (Equation 3)

In some examples, the message (M) is arbitrary. However it is to beappreciated that the message (M) may have selective values (such as UnixTime, etc.) that may be useful in some applications.

The method 300 includes sending 315 the message (M), over thecommunications network 3, to the second node 7. The message (M) may besent over an unsecure network as the message (M) does not includeinformation on the private keys.

Determining a Generator Value (GV) 320

The method 300 further includes the step of determining 320 a GeneratorValue (GV) based on the message (M). In this example, this includesdetermining a cryptographic hash of the message. An example of acryptographic hash algorithm includes SHA-256 to create a 256-bitGenerator Value (GV). That is:GV=SHA-256(M)  (Equation 4)

It is to be appreciated that other hash algorithms may be used. This mayinclude other has algorithms in the Secure Hash Algorithm (SHA) family.Some particular examples include instances in the SHA-3 subset,including SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256.Other hash algorithms may include those in the RACE Integrity PrimitivesEvaluation Message Digest (RIPEMD) family. A particular example mayinclude RIPEMD-160. Other hash functions may include families based onZémor-Tillich hash function and knapsack-based hash functions.

Determining a First Node Second Private Key 330

The method 300 then includes the step 330 of determining 330 the firstnode second private key (V_(2C)) based on the second node master privatekey (V_(1C)) and the Generator Value (GV). This can be based on a scalaraddition of the first node master private key (V_(1C)) and the GeneratorValue (GV) according to the following formula:V _(2C) =V _(=1C) +GV  (Equation 5)

Thus the first node second private key (V_(2C)) is not a random valuebut is instead deterministically derived from the first node masterprivate key. The corresponding public key in the cryptographic pair,namely the first node second public key (P_(2C)), has the followingrelationship:P _(2C) =V _(2C) ×G  (Equation 6)

Substitution of V_(2C) from Equation 5 into Equation 6 provides:P _(2C)=(V _(1C) +GV)×G  (Equation 7)

where the ‘+’ operator refers to elliptic curve point addition. Notingthat elliptic curve cryptography algebra is distributive, Equation 7 maybe expressed as:P _(2C) =V _(1C) ×G+GV×G  (Equation 8)

Finally, Equation 1 may be substituted into Equation 7 to provide:P _(2C) =P _(1C) +GV×G  (Equation 9.1)P _(2C) =P _(1C)+SHA-256(M)×G  (Equation 9.2)

Thus the corresponding first node second public key (P_(2C)) can bederivable given knowledge of the first node master public key (P_(1C))and the message (M). The second node 7 may have such knowledge toindependently determine the first node second public key (P_(2C)) aswill be discussed in further detail below with respect to the method400.

Generate a First Signed Message (SM1) Based on the Message and the FirstNode Second Private Key 350

The method 300 further includes generating 350 a first signed message(SM1) based on the message (M) and the determined first node secondprivate key (V_(2C)). Generating a signed message includes applying adigital signature algorithm to digitally sign the message (M). In oneexample, this includes applying the first node second private key(V_(2C)) to the message in an Elliptic Curve Digital Signature Algorithm(ECDSA) to obtain the first signed message (SM1). Examples of ECDSAinclude those based on ECC systems with secp256k 1, secp256r1,secp384r1, se3cp52 r1.

The first signed message (SM1) can be verified with the correspondingfirst node second public key (P_(2C)) at the second node 7. Thisverification of the first signed message (SM1) may be used by the secondnode 7 to authenticate the first node 3, which will be discussed in themethod 400 below.

Determine a Second Node Second Public Key 370′

The first node 3 may then determine 370 a second node second public key(P_(2S)). As discussed above, the second node second public key (P_(2S))may be based at least on the second node master public key (P_(1S)) andthe Generator Value (GV). In this example, since the public key isdetermined 370′ as the private key with elliptic curve pointmultiplication with the base point (G), the second node second publickey (P_(2S)) can be expressed, in a fashion similar to Equation 6, as:P _(2S) =V _(2S) ×G  (Equation 10.1)P _(2S) =P _(1S) +GV×G  (Equation 10.2)

The mathematical proof for Equation 10.2 is the same as described abovefor deriving Equation 9.1 for the first node second public key (P_(2C)).It is to be appreciated that the first node 3 can determine 370 thesecond node second public key independently of the second node 7.

Determine the Common Secret 380 at the First Node 3

The first node 3 may then determine 380 the common secret (CS) based onthe determined first node second private key (V_(2C)) and the determinedsecond node second public key (P_(2S)). The common secret (CS) may bedetermined by the first node 3 by the following formula:S=V _(2C) ×P _(2S)  (Equation 11)

Method 400 Performed at the Second Node 7

The corresponding method 400 performed at the second node 7 will now bedescribed. It is to be appreciated that some of these steps are similarto those discussed above that were performed by the first node 3.

The method 400 includes receiving 410 the message (M), over thecommunications network 5, from the first node 3. This may include themessage (M) sent by the first node 3 at step 315. The second node 7 thendetermines 420 a Generator Value (GV) based on the message (M). The stepof determining 420 the Generator Value (GV) by the second node 7 issimilar to the step 320 performed by the first node described above. Inthis example, the second node 7 performs this determining step 420independent of the first node 3.

The next step includes determining 430 a first node second public key(P_(2C)) based on the first node master public key (P_(1C)) and theGenerator Value (GV). In this example, since the public key isdetermined 430′ as the private key with elliptic curve pointmultiplication with the base point (G), the first node second public key(P_(2C)) can be expressed, in a fashion similar to Equation 9, as:P _(2C) =V _(2C) ×G  (Equation 12.1)P _(2C) =P _(1C) +GV×G  (Equation 12.2)

The mathematical proof for Equations 12.1 and 12.2 is the same as thosediscussed above for Equations 10.1 and 10.2.

The Second Node 7 Authenticating the First Node 3

The method 400 may include steps performed by the second node 7 toauthenticate that the alleged first node 3, is the first node 3. Asdiscussed previously, this includes receiving 440 the first signedmessage (SM1) from the first node 3. The second node 7 may then validate450 the signature on the first signed message (SM1) with the first nodesecond public key (P_(2C)) that was determined at step 430.

Verifying the digital signature may be done in accordance with anElliptic Curve Digital Signature Algorithm (ECDSA) as discussed above.Importantly, the first signed message (SM1) that was signed with thefirst node second private key (V_(2C)) should only be correctly verifiedwith the corresponding first node second public key (P_(2C)), sinceV_(2C) and P_(2C) form a cryptographic pair. Since these keys aredeterministic on the first node master private key (V_(1C)) and thefirst node master public key (P_(1C)) that were generated atregistration of the first node 3, verifying first signed message (SM1)can be used as a basis of authenticating that an alleged first nodesending the first signed message (SM1) is the same first node 3 duringregistration. Thus the second node 7 may further perform the step ofauthenticating (460) the first node 3 based on the result of validating(450) the first signed message.

The Second Node 7 Determining the Common Secret

The method 400 may further include the second node 7 determining 470 asecond node second private key (V_(2S)) based on the second node masterprivate key (V_(1S)) and the Generator Value (GV). Similar to step 330performed by the first node 3, the second node second private key(V_(2S)) can be based on a scalar addition of the second node masterprivate key (V_(1S)) and the Generator Value (GV) according to thefollowing formulas:V _(2S) =V _(1S) +GV  (Equation 13.1)V _(2S) =V _(1S)+SHA-256(M)  (Equation 13.2)

The second node 7 may then, independent of the first node 3, determine480 the common secret (CS) based on the second node second private key(V_(2S)) and the first node second public key (P_(2C)) based on thefollowing formula:S=V _(2S) ×P _(2C)  (Equation 14)

Proof of the Common Secret (CS) Determined by the First Node 3 andSecond Node 7

The common secret (CS) determined by the first node 3 is the same as thecommon secret (CS) determined at the second node 7. Mathematical proofthat Equation 11 and Equation 14 provide the same common secret (CS)will now be described.

Turning to the common secret (CS) determined by the first node 3,Equation 10.1 can be substituted into Equation 11 as follows:S=V _(2C) ×P _(2S)S=V _(2C)×(V _(2S) ×G)  (Equation 11)S=(V _(2C) ×V _(2S))×G  (Equation 15)

Turning to the common secret (CS) determined by the second node 7.Equation 12.1 can be substituted into Equation 14 as follows:S=V _(2S) ×P _(2C)S=V _(2S)×(V _(2C) ×G)  (Equation 14)S=(V _(2S) ×V _(2C))×G  (Equation 16)

Since ECC algebra is commutative, Equation 15 and Equation 16 areequivalent, since:S=(V _(2C) ×V _(2S))×G=(V _(2S) ×V _(2C))×G  (Equation 17)

The Common Secret (CS) and Secret Key

The common secret (CS) may now be used as a secret key, or as the basisof a secret key in a symmetric-key algorithm for secure communicationbetween the first node 3 and second node 7.

The common secret (CS) may be in the form of an elliptic curve point(xs, ys). This may be converted into a standard key format usingstandard publicly known operations agreed by the nodes 3, 7. Forexample, the xs value may be a 256-bit integer that could be used as akey for AES₂₅₆ encryption. It could also be converted into a 160-bitinteger using RIPEMD 160 for any applications requiring this length key.

The common secret (CS) may be determined as required. Importantly, thefirst node 3 does not need to store the common secret (CS) as this canbe re-determined based on the message (M). In some examples, themessage(s) (M) used may be stored in data store 13, 17, 19 (or otherdata store) without the same level of security as required for themaster private keys. In some examples, the message (M) may be publiclyavailable. However depending on some application, the common secret (CS)could be stored in the first data store (X) associated with the firstnode provided the common secret (CS) is kept as secure as the first nodemaster private key (V_(1C)).

Advantageously, this technique can be used to determine multiple commonsecrets that may correspond to multiple secure secret keys based on asingle master key cryptography pair.

It should be noted that the above-mentioned embodiments illustraterather than limit the invention, and that those skilled in the art willbe capable of designing many alternative embodiments without departingfrom the scope of the invention as defined by the appended claims. Inthe claims, any reference signs placed in parentheses shall not beconstrued as limiting the claims. The word “comprising” and “comprises”,and the like, does not exclude the presence of elements or steps otherthan those listed in any claim or the specification as a whole. In thepresent specification, “comprises” means “includes or consists of” and“comprising” means “including or consisting of”. The singular referenceof an element does not exclude the plural reference of such elements andvice-versa. The invention may be implemented by means of hardwarecomprising several distinct elements, and by means of a suitablyprogrammed computer. In a device claim enumerating several means,several of these means may be embodied by one and the same item ofhardware. The mere fact that certain measures are recited in mutuallydifferent dependent claims does not indicate that a combination of thesemeasures cannot be used to advantage.

The invention claimed is:
 1. A computer-implemented control methodcomprising: providing a blockchain transaction comprising a redeemscript for an output, wherein the redeem script comprises: i) aplurality of public keys, each public key of the plurality of publickeys associated with a corresponding private key, wherein: each publickey is uniquely associated with a potential state of at least one datasource; the at least one data source comprises a sensor or a signalgeneration component that provides an input indicating a state of the atleast one data source; and a minimum number of said plurality ofassociated private keys must be used to sign an unlocking script of afurther blockchain transaction in order to spend the output; and ii)logic arranged to provide a result based on: a determination of which ofthe plurality of associated private keys is used to sign the unlockingscript, so as to provide an interim result, wherein the interim resultis determined by which of the plurality of associated private keys isused to sign the unlocking script; and a comparison of a parametersupplied via the unlocking script against the interim result; andattempting to spend the output more than once by submitting a differentblockchain transaction to a blockchain network, each attempt supplying adifferent parameter to the redeem script.
 2. The computer-implementedcontrol method according to claim 1, wherein the logic is arranged toimplement functionality of a logic gate.
 3. The computer-implementedcontrol method according to claim 2, wherein the logic gate is a NOT,AND, OR, NOR, XOR, IMPLY, NAND, NONIMPLY, or XNOR gate.
 4. Thecomputer-implemented control method according to claim 1, wherein thestate of the at least one data source is determined by a computingagent.
 5. The computer-implemented control method according to claim 4,wherein the computing agent is in communication with a control computingagent.
 6. The computer-implemented control method according to claim 1,wherein the result is a Boolean result.
 7. The computer-implementedcontrol method according to claim 1, wherein there are at least two datasources.
 8. The computer-implemented control method according to claim1, wherein there are two potential states for each data source, eachpotential state of the at least two potential states being associatedwith, or represented by, a respective public key.
 9. Thecomputer-implemented control method according to claim 1, furthercomprising: for each of the at least one data source: associating arespective public key in the plurality with a respective potential stateof the data source, such that all possible states of the data source arerepresented by respective public keys.
 10. The computer-implementedcontrol method according to claim 1, wherein each public key representsa respective Boolean value indicative of the potential state of the atleast one data source.
 11. The computer-implemented control methodaccording to claim 1, wherein the parameter is a value, or a puzzle, ora value embedded in a key.
 12. The computer-implemented control methodaccording to claim 1, wherein the logic is arranged to perform anequality check to compare the interim result with the parameter.
 13. Thecomputer-implemented control method according to claim 1, wherein theinterim result is derived from the logic provided within the redeemscript, and/or is a Boolean value that is calculated by determiningwhich of the plurality of associated private keys were used to sign theunlocking script.
 14. The computer-implemented control method accordingto claim 1, further comprising generating or deriving one or more of theplurality of public keys from a base or master key.
 15. Thecomputer-implemented control method according to claim 14, wherein: thegenerating or the deriving is performed using a deterministic keygeneration technique.
 16. The computer-implemented control methodaccording to claim 1, wherein the determination of which of theplurality of associated private keys is used to sign the unlockingscript is based on the input.
 17. A computer-implemented systemcomprising hardware arranged to implement: at least one computer-basedresource comprising: one or more processors; and memory storingexecutable instructions that, being executed by the one or moreprocessors, cause the computer-implemented system to: provide a firstblockchain transaction comprising a redeem script for an output, whereinthe redeem script comprises: i) a plurality of public keys, each publickey of the plurality of public keys associated with a correspondingprivate key wherein: each public key is uniquely associated with apotential state of at least one data source; the at least one datasource comprises a sensor or a signal generation component that providesan input indicating a state of the at least one data source; and aminimum number of said plurality of associated private keys must be usedto sign an unlocking script of a second blockchain transaction in orderto spend the output; and ii) logic arranged to provide a result basedon: a determination of which of the plurality of associated private keysis used to sign the unlocking script, so as to provide an interimresult, wherein the interim result is determined by which of theplurality of associated private keys is used to sign the unlockingscript; and a comparison of a parameter supplied via the unlockingscript against the interim result; and attempt to spend the output morethan once by submitting a different blockchain transaction to ablockchain network, each attempt supplying a different parameter to theredeem script; and a blockchain.
 18. The computer-implemented systemaccording to claim 17, wherein execution of the executable instructionsby the one or more processors further cause the computer-implementedsystem to: submit the first blockchain transaction to the blockchainnetwork; generate the second blockchain transaction; digitally sign theunlocking script; and/or generate the plurality of public keys and theplurality of associated private keys.
 19. The computer-implementedsystem according to claim 17, wherein the result is used to control orinfluence further execution or operation of a process or apparatus. 20.The computer-implemented system according to claim 17, furthercomprising additional hardware comprising the at least one sensor orsignal generation component arranged and configured to provide the inputto the at least one computer-based resource.